Saturday, February 2, 2019

Stratosphere


STRATOSPHERE

- Layout for this exercise:

1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Stratosphere, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu/

2 - ENUMERATION

Stratosphere's IP is 10.10.10.64:

- Scanning with Nmap:

- Connecting with the browser:

- Bruteforcing with Dirbuster and the medium-size directory list:

Dirbuster finds folders like /manager or /Monitoring:

- Going to /Monitoring, we are redirected to this web page:

- Clicking Sign On:

- In both cases, let's notice the presence of the extension .action, which is handled by the Apache Struts Action class:

https://svn.apache.org/repos/asf/struts/archive/trunk/struts-doc-1.1/api/org/apache/struts/action/Action.html

3 - EXPLOITATION

Apache Struts is vulnerable to multiple exploits, as explained in CVE-2018-11776:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-11776

- There are a lot of available exploits, so let's take, for instance, the Python script struts-pwn:

- Downloading to Kali:

- Reading README.md we find an example of usage:

- Now let's check that the script works (by default it runs the command id):

- Also, we can use the script to read /etc/passwd:

... etc ...


- Listing /home content:

- Listing richard's folder content:

- Reading db_connect, we find credentials for the databases ssn and users:

- Showing the tables from database users, we find the table accounts:

- Selecting * from table accounts, we find a password for user richard:

- Connecting to SSH with user richard's credentials, we get a low-privileged remote shell:

richard:9tc*rhKuG5TyXvUJOrE^5CK7k

4 - CAPTURING THE 1st FLAG

- Reading user.txt:

5 - PRIVILEGE ESCALATION

- However, access to the root folder is denied, so we need privilege escalation:

- User richard has some sudo privileges:

- Reading the content of test.py, it seems to hold some encoding/decoding and hashing processes:

- Executing test.py, just in case, shows no output:

- Notice that test.py imports hashlib, so we can write our own hashlib.py in this way:

- Now, just following the sudoers message and executing the command, a root shell is achieved:
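The escalation works because Python puts the script's own directory first on sys.path, so a hashlib.py next to test.py is imported instead of the standard library module when sudo runs the script as root. The following audit script is an added example for the defender's side, not part of the original write-up: it parses a sudo-permitted script for its imports and reports any file in the script's directory that would shadow them (the test.py and hashlib.py it builds in a temporary directory are constructed for the demo).

```python
import ast
import os
import tempfile
from pathlib import Path


def imported_names(source: str) -> set:
    """Top-level module names a script imports, e.g. {'hashlib', 'os'}."""
    names = set()
    for node in ast.walk(ast.parse(source)):
        if isinstance(node, ast.Import):
            names.update(alias.name.split(".")[0] for alias in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return names


def shadow_candidates(script_path: str) -> dict:
    """Map each imported module to a file beside the script that Python would load
    instead of the real module (sys.path[0] is the script's directory)."""
    script = Path(script_path).resolve()
    directory = script.parent
    found = {}
    for name in imported_names(script.read_text()):
        for candidate in (directory / f"{name}.py", directory / name / "__init__.py"):
            if candidate.is_file():
                found[name] = str(candidate)
    return found


def audit(script_path: str) -> dict:
    """Summarise the import-hijack exposure of running script_path via sudo."""
    directory = Path(script_path).resolve().parent
    return {
        "directory_writable": os.access(directory, os.W_OK),  # can a user plant a file?
        "shadowed": shadow_candidates(script_path),             # already planted files
    }


def demo() -> dict:
    """Constructed reproduction of the Stratosphere case: test.py next to a rogue hashlib.py."""
    with tempfile.TemporaryDirectory() as tmp:
        (Path(tmp) / "test.py").write_text("import hashlib\nimport base64\n")
        (Path(tmp) / "hashlib.py").write_text("# planted file; would execute as root\n")
        return audit(str(Path(tmp) / "test.py"))


if __name__ == "__main__":
    # Mitigation: invoke the script as 'python3 -I test.py' in sudoers, since isolated
    # mode leaves the script directory off sys.path, and keep that directory root-owned.
    print(demo())
```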

6 - CAPTURING THE 2nd FLAG

- Reading root.txt: